From c19f221a41706efc8d73cef95c5e362c4f86bf06 Mon Sep 17 00:00:00 2001
From: Jack Anderson
Date: Mon, 23 Jan 2023 10:51:07 +0000
Subject: [PATCH] SuiteCRM 7.12.9 Release

---
 .../JsonApi/Helper/AttributeObjectHelper.php | 22 +++++-
 README.md | 2 +-
 data/BeanFactory.php | 45 ++++++++++++
 files.md5 | 72 +++++++++----------
 include/InlineEditing/InlineEditing.php | 7 +-
 include/MySugar/MySugar.php | 5 ++
 include/utils.php | 30 +++++++-
 install/install_utils.php | 6 +-
 .../JsonApi/v1/Resource/SuiteBeanResource.php | 7 ++
 modules/AOS_Products/AOS_Products.php | 6 ++
 modules/Administration/UpgradeWizard.php | 12 +++-
 modules/Campaigns/WebToPersonCapture.php | 13 ++--
 modules/Campaigns/utils.php | 46 +++++++++---
 modules/Contacts/ContactFormBase.php | 12 +++-
 modules/EmailTemplates/AttachFiles.php | 7 ++
 .../include/ComposeView/ComposeView.tpl | 4 +-
 modules/Employees/Employee.php | 35 +++++++++
 modules/Leads/LeadFormBase.php | 8 ++-
 modules/Prospects/ProspectFormBase.php | 48 +++++++------
 modules/Users/User.php | 43 +++++++++-
 suitecrm_version.php | 4 +-
 21 files changed, 339 insertions(+), 95 deletions(-)

diff --git a/Api/V8/JsonApi/Helper/AttributeObjectHelper.php b/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
index d44bb5317a6..d6315572191 100644
--- a/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
+++ b/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
@@ -29,6 +29,24 @@ public function getAttributes(\SugarBean $bean, $fields = null)
     {
         $bean->fixUpFormatting();
 
+        $allowedField = [];
+
+        $fieldsToParse = $fields;
+        if (empty($fields)) {
+            $fieldsToParse = array_keys($bean->field_defs);
+        }
+
+        foreach ($fieldsToParse ?? [] as $index => $field) {
+            $isSensitive = isTrue($bean->field_defs[$field]['sensitive'] ?? false);
+            $notApiVisible = isFalse($bean->field_defs[$field]['api-visible'] ?? true);
+
+            if ($isSensitive || $notApiVisible){
+                continue;
+            }
+
+            $allowedField[$index] = $field;
+        }
+
         // using the ISO 8601 format for dates
         $attributes = array_map(function ($value) {
             return is_string($value)
@@ -38,8 +56,8 @@ public function getAttributes(\SugarBean $bean, $fields = null)
                 : $value;
         }, $bean->toArray());
 
-        if ($fields !== null) {
-            $attributes = array_intersect_key($attributes, array_flip($fields));
+        if ($allowedField !== null) {
+            $attributes = array_intersect_key($attributes, array_flip($allowedField));
         }
 
         unset($attributes['id']);
diff --git a/README.md b/README.md
index 49d148bcd11..114d8a6e5f5 100755
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
-# SuiteCRM 7.12.8
+# SuiteCRM 7.12.9
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)
diff --git a/data/BeanFactory.php b/data/BeanFactory.php
index e145e3d9e92..4fc0e37f075 100755
--- a/data/BeanFactory.php
+++ b/data/BeanFactory.php
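Review bot: The guard `if ($allowedField !== null)` in the second hunk is dead code: `$allowedField` is initialised to `[]` a few lines earlier and is never assigned null, so the intersect always runs and the line can be reduced to `$attributes = array_intersect_key($attributes, array_flip($allowedField));`. The first hunk also changes what an explicitly empty field list means, because `empty($fields)` treats `[]` the same as `null`, so a sparse-fieldset request that asked for no fields now receives every non-sensitive attribute where it previously received none; whether any caller relies on that cannot be seen from the hunk. The filter is only as strong as the vardefs that feed it, so a field that must stay out of the API has to carry `'sensitive' => true` or `'api-visible' => false`, and the `isTrue`/`isFalse` helpers it depends on are not shown here.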
@@ -151,6 +151,51 @@ public static function getBean($module, $id = null, $params = [], $deleted = tru
         return $bean;
     }
 
+    /**
+     * Returns a SugarBean object by id.
+     *
+     * @static
+     *
+     * @param string $module
+     * @param string $id
+     * @param array $params
+     * A name/value array of parameters. Names: encode, deleted.
+     * If $params is boolean we revert to the old arguments (encode, deleted), and use $params as $encode.
+     * This will be changed to using only $params in later versions.
+     * @param bool $deleted
+     * @see SugarBean::retrieve
+     *
+     * @return SugarBean|bool
+     */
+    public static function getReloadedBean($module, $id = null, $params = [], $deleted = true)
+    {
+        $params = self::convertParams($params);
+        $encode = self::hasEncodeFlag($params);
+        $deleted = self::hasDeletedFlag($params, $deleted);
+
+        $beanClass = self::getBeanClass($module);
+
+        if (!self::loadBeanFile($module)) {
+            return false;
+        }
+
+        if (empty($id)) {
+            return new $beanClass();
+        }
+
+        /* @var SugarBean $bean */
+        $bean = new $beanClass();
+
+        $result = $bean->retrieve($id, $encode, $deleted);
+
+        if ($result === null) {
+            return false;
+        }
+
+        return $bean;
+    }
+
+
     /**
      * Shallow beans are created by SugarBean during the fill_in_relationship_fields method, and they differ from
      * 'complete' bean in that they do not have their own relate fields completed.
diff --git a/files.md5 b/files.md5
index eee6f26dc02..e6fed77013a 100755
--- a/files.md5
+++ b/files.md5
@@ -1,5 +1,5 @@
 '69a1e7b3d7755a2a63499a16ddae81cf',
 './Api/Core/Config/slim.php' => 'b134e68765e6a1403577e2a5a06322b8',
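Review bot: The docblock on `getReloadedBean()` is a copy of the one on `getBean()` and never says how the two differ, which is the one thing a caller choosing between them needs to know. Judging from the body, this variant always constructs a fresh instance and calls `retrieve()` with no cache lookup or registration, so the summary line should say so, e.g. `* Like getBean(), but always builds a new bean and calls retrieve() on it instead of returning a cached instance; use it when the record must reflect the current database state.` — confirm against getBean(), whose body is outside this hunk. It is also worth noting in the `@return` line that `false` is returned both when the bean file cannot be loaded and when `retrieve()` yields null, since callers cannot tell those apart.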
@@ -37,7 +37,7 @@ $md5_string = array ( './Api/V8/Helper/ModuleListProvider.php' => 'a6f9b90116408bd7d708801b0cd04001', './Api/V8/Helper/OsHelper.php' => '3fa3a69441695035a66e877fbfd0d6c2', './Api/V8/Helper/VarDefHelper.php' => '986916d5e675667e5f5e89da6d8fc081', - './Api/V8/JsonApi/Helper/AttributeObjectHelper.php' => '8c2e2f889cefdc7912fd62da3e6a6f71', + './Api/V8/JsonApi/Helper/AttributeObjectHelper.php' => '3336452c51560f9a40c107d0ace78165', './Api/V8/JsonApi/Helper/PaginationObjectHelper.php' => 'dbeb8f36cc7b70ff9459443c26bdfb70', './Api/V8/JsonApi/Helper/RelationshipObjectHelper.php' => '6681a3fc26e420f12875d4239532946e', './Api/V8/JsonApi/Repository/Filter.php' => '21279c505e18aacd9f6aea51cc62a3bc', @@ -116,7 +116,7 @@ $md5_string = array ( './ModuleInstall/PackageManager/tpls/PackageManagerLicense.tpl' => 'df5e267d1df5ce08fb9406e42d5b4816', './ModuleInstall/PackageManager/tpls/PackageManagerScripts.tpl' => '98e396c0aa57329731fda19c790fffb2', './ModuleInstall/extensions.php' => '094f4650261f6efbab1b90b119829388', - './README.md' => '76ec8409ea1fa360d1255f693dfd5a40', + './README.md' => '01f0f8317b743d7d0318251b7d65ac3a', './RoboFile.php' => '045b82c1df69553824d0e4ffcce6e03c', './SugarSecurity.php' => '47e316b2d408e8c5192c8ea4a4f921b3', './TreeData.php' => '32873e20cb5fd33f9d1cdaf18c3cac5c', @@ -511,7 +511,7 @@ $md5_string = array ( './composer.lock' => '060badb951dc9a03fe4f77d748a56b12', './cron.php' => '0b8b6bd839a2232a8da074b31feaa708', './crossdomain.xml' => '24b7711640c652b21aa89c9d83d6ec13', - './data/BeanFactory.php' => '84b7c36b6a59ea8c5c4069659cc72950', + './data/BeanFactory.php' => '3007bf65ebc77baa76c338ce6a068790', './data/Link.php' => '6a1f4a706142e6231f8ee46f261341c0', './data/Link2.php' => '1e2ee0bfd94ff12c0a3b9323059a47ed', './data/Relationships/EmailAddressRelationship.php' => 'e2d4f642961cf992c931e57d02e0d122', 
@@ -550,7 +550,7 @@ $md5_string = array ( './include/DetailView/header.tpl' => '79e5e7385483e4486ac1f20d739d8cd5', './include/EditView/EditView.php' => '6bd1f5815f5c674416efd1e71a67bd65', './include/EditView/EditView.tpl' => '4458f5584adfdb8d54e74b8e867e048c', - './include/EditView/EditView2.php' => 'b2684fe27ec214563d935d5080dd9742', + './include/EditView/EditView2.php' => '7ad84a44d52c2d5ae9a7e51d170a0efc', './include/EditView/Panels.js' => '580266b80716d8e7003807189565e557', './include/EditView/PopupQuickCreate.php' => '09b22d51578ba228a89ba6a7e5f403c8', './include/EditView/QuickCreate.php' => 'dbd2c8b5be42047ada748e073b87ff90', @@ -595,7 +595,7 @@ $md5_string = array ( './include/Imap/ImapTestSettingsEntryHandler.php' => '3292a309c3331e60ab13f48c56e672c8', './include/Imap.php' => '0f93494ddbae70f85acdcbac5e92dbc5', './include/ImapInterface.php' => '1cc17060f7768a0e299fafdd66410baa', - './include/InlineEditing/InlineEditing.php' => '556f91cf67cb17620fb42a5bd607b7a6', + './include/InlineEditing/InlineEditing.php' => '981e9c7c35b0f2aefa192ebf46eb3c44', './include/InlineEditing/inlineEditing.js' => 'ebc8c66cf49a2bcc77265461a120fe3c', './include/JSON.php' => '7cff996ad7e96ff1583e0837f5070f29', './include/JsonApiErrorObject.php' => 'bd82e5413b53492f73cb66fa0fe35316', @@ -666,7 +666,7 @@ $md5_string = array ( './include/MVC/preDispatch.php' => 'f1720fa7dea86c02e0663227c2c08203', './include/MassUpdate.php' => 'e1e7bb76e9479209bc9fdb54411eae97', './include/MySugar/DashletsDialog/DashletsDialog.php' => '0b7c1af1bb21b3af9b735178de2f3a89', - './include/MySugar/MySugar.php' => 'c047f36230f6e720537e546ab32e4190', + './include/MySugar/MySugar.php' => 'eaffdea2231df9ec4a457fb57d499ca4', './include/MySugar/dashboardstyle.css' => '4cce65e52281263e484140a1d4b8d2e2', './include/MySugar/javascript/AddRemoveDashboardPages.js' => '6baf925bfcaa6c4ac01326af22c8e7c6', './include/MySugar/javascript/MySugar.js' => 'f6162f9799abadfdef9c5ea2668808e7', 
@@ -1209,7 +1209,7 @@ $md5_string = array ( './include/SugarTheme/SugarThemeRegistry.php' => '437a775ba6ef36dc87cb59d5ae1a3b14', './include/SugarTheme/cssmin.php' => 'ff649bb50d5dafcce509ed9d340b6d06', './include/SugarTheme/getImage.php' => 'd7963d20b0365d62c7d1c84ea3faf3ed', - './include/SugarTinyMCE.php' => '3e1df6fa7bcbb9e3caf75d97e1d8924b', + './include/SugarTinyMCE.php' => '9be7450638b50efe57ccc33bfbb35eb0', './include/Sugar_Smarty.php' => '9ce2f82df09600f42ccd1eee7bf78294', './include/Sugarpdf/FontManager.php' => '4f3e178b643571961d9f2590122342cc', './include/Sugarpdf/Sugarpdf.php' => '10f553017faf60a1ba027c96dea2d43d', @@ -1336,7 +1336,7 @@ $md5_string = array ( './include/database/FreeTDSManager.php' => '23ec109e38260e0ffa2a1676d486fd62', './include/database/MssqlManager.php' => '8ec8ad4bd3df1c19aa96b228f3b356a7', './include/database/MysqlManager.php' => 'e291bd0e38fde596a8bd1f6c75688eaa', - './include/database/MysqliManager.php' => '31cf1de8eba53e933ea116870129da12', + './include/database/MysqliManager.php' => '19025de16a37f6bb8ffb1b8c4e0ab34d', './include/database/SqlsrvManager.php' => 'ad3f8e07dce347f8cf1906e7e91ec776', './include/dir_inc.php' => '4ec954313ef7c8b164ec1232a1ec1bd7', './include/entryPoint.php' => '6c03ccc488eae94ac702743421951115', @@ -2280,7 +2280,7 @@ $md5_string = array ( './include/javascript/yui/build/yuitest/yuitest_core.js' => 'ed5230a0f4a885d8ea51c2fe78895d07', './include/javascript/yui/ygDDList.js' => '0cd9051a220de7e8c79bf5b9cccce10f', './include/json_config.php' => 'ba7fb6f2fb1df51bc367835406ef7ba5', - './include/language/en_us.lang.php' => '6963637150f1b221f9f70dd45d63bf87', + './include/language/en_us.lang.php' => 'aad6885d43921e1228b124d4c8b6222c', './include/language/en_us.notify_template.html' => 'c6a897ace7af46a44889dfab1a9d44c5', './include/language/getJSLanguage.php' => '1bc910bd5a9953fbf443d3d97fddbffa', './include/language/jsLanguage.php' => '3d27819dc00f2fe5426f72733a7edca1', 
@@ -2391,7 +2391,7 @@ $md5_string = array ( './include/utils/recaptcha_utils.php' => '73f5eddf707788c1dff4b7d07dc82656', './include/utils/security_utils.php' => 'e953d0b673df3df313ecf1ac975e8f57', './include/utils/sugar_file_utils.php' => '1c1915cad8c88feb0edbf5bbaee106c4', - './include/utils.php' => '55b02dfc0dc39c73996597a598b96264', + './include/utils.php' => '6107d7454bb0720ac43e498aca5e9e74', './include/vCard.php' => '44052bbedcdaba3fdf67cfc10a112e75', './include/ytree/ExtNode.php' => '000d4ccbdb6e0a7628c636128781b5e3', './include/ytree/JQueryTree.php' => '3712d2224b93818b990b876f8405b745', @@ -2482,7 +2482,7 @@ $md5_string = array ( './install/installSystemCheck.php' => 'd5f666ece13475386610cb7915ae3c93', './install/installType.php' => '7acf23c138ceafad2ce0393bd3c116f0', './install/install_defaults.php' => 'd25503407f0db14fa875b295d0f34ae5', - './install/install_utils.php' => '9910d3f9f63ac7fafd1ed474f8a773b1', + './install/install_utils.php' => '4a8c2ea13fcd9c5902f13a8660fc6263', './install/lang.config.php' => 'cb3e68fdb0600481497dcd60f0746aca', './install/language/en_us.lang.php' => '443a21c6c24b089d6dc085a3ebb588d8', './install/license.js' => '305c727ac2bd20adb6c169bf07b18a8e', @@ -2668,7 +2668,7 @@ $md5_string = array ( './lib/API/JsonApi/v1/Resource/Relationship.php' => '84cfef872f4c87f30844b784126a8c9e', './lib/API/JsonApi/v1/Resource/Resource.php' => '92ca69094721558c4c985642aa1e2b1d', './lib/API/JsonApi/v1/Resource/ResourceIdentifier.php' => 'b970064d6e903d3986b1e709b2ed14ca', - './lib/API/JsonApi/v1/Resource/SuiteBeanResource.php' => '70039bac401d7af441505cd9f78a9dd9', + './lib/API/JsonApi/v1/Resource/SuiteBeanResource.php' => '896c39fb5fdd461dfb87c092d220143d', './lib/API/JsonApi/v1/schema.json' => '1fe1aa9365e189712bedc71ee875bfd7', './lib/API/OAuth2/.htaccess' => '4fe6db46ff1074349c8ffbb840c30de9', './lib/API/OAuth2/Entities/AccessTokenEntity.php' => '7ae1d3fb58d93978e8802c6107c9b593', 
@@ -2791,9 +2791,9 @@ $md5_string = array ( './lib/Search/AOD/LuceneSearchEngine.php' => '7a589c07fae355ad81ba1893e40e1bb9', './lib/Search/BasicSearch/BasicSearchEngine.php' => '1f6ecd5faa8a58cd6d2e06da6ca35cd3', './lib/Search/ElasticSearch/ElasticSearchClientBuilder.php' => '4743c29fa00cb5d4025c974af7b79156', - './lib/Search/ElasticSearch/ElasticSearchEngine.php' => '89b2b27ef2c5dd8e7482360a8e499bfc', + './lib/Search/ElasticSearch/ElasticSearchEngine.php' => '728d22251a99bf9606170fc1b48279ef', './lib/Search/ElasticSearch/ElasticSearchHooks.php' => '8898cc8d7cec43f13352397be9397f3e', - './lib/Search/ElasticSearch/ElasticSearchIndexer.php' => '580d41b2ebfb016fff416f9cea38dd57', + './lib/Search/ElasticSearch/ElasticSearchIndexer.php' => '3775a9343fb6e0323a35a592c5b94f87', './lib/Search/ElasticSearch/ElasticSearchModuleDataPuller.php' => 'ad1144c9e9f58af496714d6dcdbdbaa5', './lib/Search/ElasticSearch/elasticsearch.example.json' => 'cd776b60993b4521cd5cfd79db95af46', './lib/Search/Exceptions/SearchEngineNotFoundException.php' => '4f83830aea088643ee87f82bd173d96d', @@ -2811,7 +2811,7 @@ $md5_string = array ( './lib/Search/SearchConfigurator.php' => '3da51dc9e7b6d9b8fcbd45c0a8db5759', './lib/Search/SearchEngine.php' => '92775fe01a004fb58f1bf6edcc9f3dc8', './lib/Search/SearchModules.php' => '5261f4a9ab7a7d690618aefa08c6ca76', - './lib/Search/SearchQuery.php' => 'ccc5b48e33c5bd4c1cc51be8f5889466', + './lib/Search/SearchQuery.php' => '523292cc81871ec25ac17a7ab96bc888', './lib/Search/SearchResults.php' => 'bdcdd0018e1fa375dc9c0344dd00b14e', './lib/Search/SearchWrapper.php' => '2aaaa78656373bbdb2f0187a208d60eb', './lib/Search/SqlSearch/SimpleSqlSearchEngine.php' => 'db160c7c333582c7028a59f2bed03fcb', 
@@ -2819,7 +2819,7 @@ $md5_string = array ( './lib/Search/UI/MVC/View.php' => '060017bf23671e429cca7187b72ddd2a', './lib/Search/UI/SearchFormController.php' => '2cf159703562da6348ece57ef68313b4', './lib/Search/UI/SearchFormView.php' => '15662e4bd9237044fe1b74f41632660d', - './lib/Search/UI/SearchResultsController.php' => '4670567daea7e976e25cd215150f79ed', + './lib/Search/UI/SearchResultsController.php' => '788728a30dc77334a9682e49ff9f0307', './lib/Search/UI/SearchResultsView.php' => 'ce2615a6390cfe62924d44fdfc7a18fa', './lib/Search/UI/SearchThrowableHandler.php' => '14cd2232a5a73df32a755e85a52cd7fd', './lib/Search/UI/templates/search.form.tpl' => '8a03f27dd8860270f7c91d64c211fffe', @@ -2829,7 +2829,7 @@ $md5_string = array ( './lib/Utility/AntiMalware/Providers/ClamTCP.php' => 'f5eab54f8e3bcaa605a036a69bbb99b1', './lib/Utility/AntiMalware/Providers/Sophos.php' => '6edbdf87006927ea647395bc945238f5', './lib/Utility/ApplicationLanguage.php' => '5bc996ea12af48ba0f167a50f699483a', - './lib/Utility/ArrayMapper.php' => '128538045d9530d999a46b90ed14c3c1', + './lib/Utility/ArrayMapper.php' => '03c31accfe841c560daafe3d2d86c672', './lib/Utility/BeanJsonSerializer.php' => 'f12bad930b18f23e5270139f46966733', './lib/Utility/BeanJsonSerializer.yml' => 'c9f6e3dae78a0061d5ed1612eb50c02d', './lib/Utility/Configuration.php' => '97f895c91d3f247b6fe7be7f063efbfa', 
@@ -3475,7 +3475,7 @@ $md5_string = array ( './modules/AOS_Product_Categories/metadata/subpanels/default.php' => '99ad7a758b45868e9fd9b8ff47a0cb5a', './modules/AOS_Product_Categories/vardefs.php' => '61d4bb3451abc9b6670a568b639f4673', './modules/AOS_Product_Categories/views/view.edit.php' => 'a8d92ffd0a368d1a25a7649d29228293', - './modules/AOS_Products/AOS_Products.php' => 'fe7e5ab6086a37067f029cbf80d55caf', + './modules/AOS_Products/AOS_Products.php' => '0f4f0237cd42e4cdece3d894a53ea9c1', './modules/AOS_Products/AOS_Products_sugar.php' => '6769da40aa102583900b9d4d32492906', './modules/AOS_Products/Dashlets/AOS_ProductsDashlet/AOS_ProductsDashlet.meta.php' => 'b7812541758289ffbefcf59e976a3f7e', './modules/AOS_Products/Dashlets/AOS_ProductsDashlet/AOS_ProductsDashlet.php' => 'ee6d24e58a380e0978c7e84c7cdd7005', @@ -3692,7 +3692,7 @@ $md5_string = array ( './modules/Administration/PasswordManager.php' => 'e997d11ecfbfe0352f863a814176efe9', './modules/Administration/PasswordManager.tpl' => '88d1898cf0bae5d3e053eb21ffc34ade', './modules/Administration/PasswordManagerSecurity.tpl' => '5010789c306f4c665e0ebe0466c9f50d', - './modules/Administration/QuickRepairAndRebuild.php' => '44b428d870c178243326bbf1d51cb6dd', + './modules/Administration/QuickRepairAndRebuild.php' => '14a4e14865732a12f4cbda21add1c8cc', './modules/Administration/RebuildAudit.php' => '7b1c137ae149d763e44053ae542a4432', './modules/Administration/RebuildConfig.php' => 'd1b925885ca4b6da62add9d26548c35c', './modules/Administration/RebuildDashlets.php' => 'e549bd62a92ffac96744a113a50835f0', 
@@ -3741,7 +3741,7 @@ $md5_string = array ( './modules/Administration/UpgradeFields.php' => 'd74cb90a6a24cae3c0b96a97a74d4d62', './modules/Administration/UpgradeHistory.php' => '14ba994d7b1d5eccfc4520855a0c4036', './modules/Administration/UpgradeIISAccess.php' => 'e5b6fce25e81a6a0d3e807c6fea6350e', - './modules/Administration/UpgradeWizard.php' => 'b4324887e5715f94d06fdc2c0f91ec1f', + './modules/Administration/UpgradeWizard.php' => 'd114a8c831c909d1a4c48b0afac7b8a0', './modules/Administration/UpgradeWizardCommon.php' => '92f7113707f3de797deb6b894ce81c6f', './modules/Administration/UpgradeWizard_commit.php' => '1fe823dac079bc5548debb7ecabcd625', './modules/Administration/UpgradeWizard_prepare.php' => 'dac1ff9e81b849f21af62a786be04836', @@ -4072,7 +4072,7 @@ $md5_string = array ( './modules/Campaigns/WebToLeadFormBuilder.php' => 'b3b054b279d69dd964fba557df665be1', './modules/Campaigns/WebToLeadFormBuilderOptInCheckbox.tpl' => '9fd68c7d266560b82eb7667f96792779', './modules/Campaigns/WebToLeadFormSave.php' => 'b2596e14bbfdfd9fd75a9a40dac243f6', - './modules/Campaigns/WebToPersonCapture.php' => '27e24a36a16897c8a4fac043c8b85516', + './modules/Campaigns/WebToPersonCapture.php' => 'c74104628b33fc9b2a31f2d46bf3809f', './modules/Campaigns/WizardCampaignSave.php' => 'f7a73bc932dcf289d4d5d94eee3ad138', './modules/Campaigns/WizardEmailSetup.html' => 'bdf9ae5e62512fba93fc6660ecc9bf64', './modules/Campaigns/WizardEmailSetup.php' => '5f7a49cf10fa319d90c32310a76fdce9', 
@@ -4111,7 +4111,7 @@ $md5_string = array ( './modules/Campaigns/tpls/WizardNewsletter.tpl' => '168198cad6b844c66c1f1b7bc0c0d7e3', './modules/Campaigns/tpls/campaign-inactive.tpl' => 'fa6ad86dabbbb0350649cdd48bda9801', './modules/Campaigns/tpls/progressStepsStyle.html' => '188a9323131c1665062b361e1a26df10', - './modules/Campaigns/utils.php' => 'ec1404fdd8f9051b132b776b08472854', + './modules/Campaigns/utils.php' => 'e923cf376d1da33da2230f332f9c1baa', './modules/Campaigns/vardefs.php' => '3356dc662190231795ec344641c886ab', './modules/Campaigns/views/view.classic.php' => 'd3dd10e40e7e6a9d5d0168996c80792f', './modules/Campaigns/views/view.detail.php' => '21ab18453038a4f2ee5458eea0a94ed9', @@ -4269,7 +4269,7 @@ $md5_string = array ( './modules/Contacts/Address_picker.html' => 'e5878e0dbf0eae9778916326c5065652', './modules/Contacts/Contact.js' => 'a10eea4494b774e047252eee82d9ea1c', './modules/Contacts/Contact.php' => 'a982bef94fd8e4b5a6d293f72edd428a', - './modules/Contacts/ContactFormBase.php' => '093d97d4d6020217c3d41d38136f78bc', + './modules/Contacts/ContactFormBase.php' => '4aa3fc8f820d2877c4840ea445ac60c4', './modules/Contacts/ContactOpportunityRelationship.php' => 'cb54d0dcae9e58cd49ea6e81fced4396', './modules/Contacts/ContactOpportunityRelationshipEdit.html' => '028042fe42f810730e817de72ec1e25f', './modules/Contacts/ContactOpportunityRelationshipEdit.php' => '3450ef1a5ce8e62769b6df6a4c55819a', 
@@ -4531,7 +4531,7 @@ $md5_string = array ( './modules/EmailMarketing/metadata/subpanels/default.php' => '63ed3aea960b881a004b988dec956b77', './modules/EmailMarketing/subpanels/default.php' => '7f0e18d1e0c7aee65734a6160264aef3', './modules/EmailMarketing/vardefs.php' => '6987d2c54c785fff2ac2acefff0cc01d', - './modules/EmailTemplates/AttachFiles.php' => '89b77bcfe0184454af0af2b6888d3f44', + './modules/EmailTemplates/AttachFiles.php' => '38b7dbce86a3bb85986f1001ae22b765', './modules/EmailTemplates/CheckDeletable.php' => 'af2ff708cf350fc5a506997907ca01db', './modules/EmailTemplates/Delete.php' => '669a71b4d7d39d10e29e50491d3a665c', './modules/EmailTemplates/DetailView.html' => 'a9b5cb480845b50a3b8a72e75a9ce31b', @@ -4599,7 +4599,7 @@ $md5_string = array ( './modules/Emails/controller.php' => '65d6d5ad5e977930403a2b89cb15004a', './modules/Emails/field_arrays.php' => 'f8ad985446f13141ea7365aa8565c500', './modules/Emails/include/ComposeView/ComposeView.php' => '45b1a69671ca5c5f2a8ab1455e9f730c', - './modules/Emails/include/ComposeView/ComposeView.tpl' => 'aee5736e992aecc485afbb5973d9e535', + './modules/Emails/include/ComposeView/ComposeView.tpl' => '02a1b64bfde0a319fcac90b1b9ebda13', './modules/Emails/include/ComposeView/ComposeViewBlank.tpl' => '22365ce6727ffb560e5ad3fc187f13f2', './modules/Emails/include/ComposeView/ComposeViewToolbar.tpl' => '656b26827857375278124e4610b9ff06', './modules/Emails/include/ComposeView/EmailsComposeView.js' => '0d361ec6c5e31920da6b2078bf2d0506', 
@@ -4713,7 +4713,7 @@ $md5_string = array ( './modules/Emails/views/view.popup.php' => '4ff1e52f105970c29fed966e2f058dd3', './modules/Emails/views/view.savedraftemail.php' => '000c8d786c87e0ad997fc5de443d9b2c', './modules/Emails/views/view.sendemail.php' => '78784b11ddb5257b0f3f5c59c9db17a1', - './modules/Employees/Employee.php' => '54eaa8f299aa57e555f316b80e71eaab', + './modules/Employees/Employee.php' => 'acf053a95024ad9d06d55457fc641d6f', './modules/Employees/EmployeeStatus.php' => 'a2be5cfeb49ef4f8deec01de9686edb9', './modules/Employees/EmployeesSearchForm.php' => '0437d91e2221d02c38e0db6830fef057', './modules/Employees/EmployeesStudioModule.php' => '5b71bea7b6e7b7a77bc5a48d4fb10a55', @@ -4976,7 +4976,7 @@ $md5_string = array ( './modules/Leads/Dashlets/MyLeadsDashlet/MyLeadsDashlet.php' => 'be81a158e3df10a2f27cca07ce5c12f7', './modules/Leads/Lead.js' => 'b52ff138ccdb1b4bb79a0ff9870d6feb', './modules/Leads/Lead.php' => '85d8e4016282c0f3f1cd893dde8a3170', - './modules/Leads/LeadFormBase.php' => 'ad656b689844598451098ad61f43ab87', + './modules/Leads/LeadFormBase.php' => '2c1645940849161817ce36e836c6f028', './modules/Leads/LeadsJjwg_MapsLogicHook.php' => '453c9c2a0bcc6f4b28d0c4e477b09fa5', './modules/Leads/LeadsListViewSmarty.php' => '15081edc09444a603f3dc5c7d0107cae', './modules/Leads/LeadsQuickCreate.php' => '6b00e0ce840f11b87a9235be6a4568f8', 
@@ -5522,7 +5522,7 @@ $md5_string = array ( './modules/Prospects/Menu.php' => '0af2124f64e4563183672100b6f8911e', './modules/Prospects/Popup_picker.html' => 'a56ae077172b05ac9e95cb3218fd6615', './modules/Prospects/Prospect.php' => '8c6bcbc1b442b43354da6ad6a445f285', - './modules/Prospects/ProspectFormBase.php' => 'b48c69d3a1f89a43ac79fbd6febb0f1f', + './modules/Prospects/ProspectFormBase.php' => '0fd6256da04924ebd8968edb2723bc34', './modules/Prospects/ProspectsJjwg_MapsLogicHook.php' => '24a7bb2a9708bfc07dbc732f69ceae85', './modules/Prospects/ProspectsListViewSmarty.php' => '87d98922c2a470620706ccb69f817c43', './modules/Prospects/Save.php' => '8d48a85c6b8db36d63fe554573196a9f', @@ -5712,7 +5712,7 @@ $md5_string = array ( './modules/Studio/TabGroups.php' => '0b53258e874bf76af6ba4e698fe1faf2', './modules/Studio/config.php' => 'ffcfb2aaf49f4c2735abdbd8116db4b3', './modules/Studio/language/en_us.lang.php' => 'e5d8138b1cb0465f26e362de69a02b51', - './modules/Studio/parsers/StudioParser.php' => '3df803d50e322cea269673d0f6c5470d', + './modules/Studio/parsers/StudioParser.php' => 'dbd08a554f38f79d34a44e36c6477dc8', './modules/Studio/studio.js' => '4fb625bbde873e47be7230e1fd1bb067', './modules/Studio/studiodd.js' => '88e575cd322889b4d300152eb11bc3ee', './modules/Studio/studiotabgroups.js' => '612e25ce77d7bb265511698814e7f03c', @@ -5827,7 +5827,7 @@ $md5_string = array ( './modules/Surveys/Entry/SurveySubmit.php' => '973c1a318b9a9d95d72d56037b68c04f', './modules/Surveys/Entry/Thanks.php' => '6eff234e04438f049e4e4b9d8758f633', './modules/Surveys/Lines/Lines.php' => '0332378d16368686f29d959eac1842ed', - './modules/Surveys/Menu.php' => 'ecfbb08b99bb8e379eecd436b4922856', + './modules/Surveys/Menu.php' => 'ba18e736af4a1d2a261fbf67d3f174b2', './modules/Surveys/Surveys.php' => 'e9d5c639799ac830281414c7f38d1272', './modules/Surveys/Utils/utils.php' => 'a83853c0fe095b0c2d6b2296a0d9ab42', './modules/Surveys/controller.php' => '0dd5f1a9f4feca78ee0d64f124f47285', 
@@ -5995,7 +5995,7 @@ $md5_string = array ( './modules/Users/SetTimezone.tpl' => 'f0fb5ed64fae81a5657ebc8f167967c9', './modules/Users/UpdateTourStatus.php' => 'cc111e28e6df1d96b98678661dd42490', './modules/Users/User.js' => '351f8d8e74bd1bd0a56dcc2bae31b147', - './modules/Users/User.php' => 'a75ad79197349bc156f9365ef3830b9c', + './modules/Users/User.php' => '5edd56612b566c0d8b6199f6e2973575', './modules/Users/UserEditView.js' => '421e1c38f1ee78933134b987b7c3c251', './modules/Users/UserEmailOptions.tpl' => '96b848efbf7f6d4fee7b6bf13a1a1aee', './modules/Users/UserEmailSettings.tpl' => '5d9ff3379f63dcf7c5efbbcc3e88d8ed', @@ -6054,7 +6054,7 @@ $md5_string = array ( './modules/Users/password_utils.php' => 'c445ba371decfae7afb76ad09c060e8a', './modules/Users/reassignUserRecords.php' => '0db6428f348ea8ab23a1bd88a5725339', './modules/Users/tpls/DetailView.tpl' => '2b5edc433a18eab9e1dc24f55c015ced', - './modules/Users/tpls/EditViewFooter.tpl' => '3468ee673ada79bdb8129aeca2a739b6', + './modules/Users/tpls/EditViewFooter.tpl' => '09e287fec2fef683c1aedd71598e52e5', './modules/Users/tpls/EditViewGroup.tpl' => '97bbb48546d0b13a60dac111abb8358a', './modules/Users/tpls/EditViewHeader.tpl' => '099f5e4896d623b64d44f243c33941b2', './modules/Users/tpls/QuickEditFooter.tpl' => 'b7a9c930f9e885fcc51b7da358411c31', @@ -6282,7 +6282,7 @@ $md5_string = array ( './soap.php' => 'e28988c2e0b8e2c484587b537a710525', './sugar_version.json' => 'bdfbcefae2f9af559bef6a36367df7bb', './sugar_version.php' => 'db7b6c8d51f87879fce1e6172eedfbed', - './suitecrm_version.php' => '1b607bcbe64dcc887e9f205ef6d22071', + './suitecrm_version.php' => '4ef3194ff974804a8f3481681fcfc7ff', './themes/SuiteP/css/Dawn/color-palette.scss' => 'e64677d79e1d68c069bdc2dc661c4f99', './themes/SuiteP/css/Dawn/icons.scss' => 'd59f8c5855e7a8df09542a663835a196', './themes/SuiteP/css/Dawn/select.ico' => '22393ad23f16c3f1462455bae8f20279', 
@@ -7691,7 +7691,7 @@ $md5_string = array (
   './themes/SuiteP/images/wizmenu/right-empty.png' => 'd3037d7c75385e7d5a5708092e8cb94c',
   './themes/SuiteP/images/wizmenu/right-full.png' => '2f6f9936252b8c9dfd7bb71b140061e5',
   './themes/SuiteP/include/Dashlets/DashletHeader.tpl' => '09e4767d1ff01a830c0de2706e833a11',
-  './themes/SuiteP/include/DetailView/DetailView.tpl' => 'ff62ab3dc8d5b6e91a4c1041c043592e',
+  './themes/SuiteP/include/DetailView/DetailView.tpl' => 'ca729f1cf4e16c84566d69d5d471bdfb',
   './themes/SuiteP/include/DetailView/actions_buttons.tpl' => '8a6fff7933b92178c28f5a58feddef75',
   './themes/SuiteP/include/DetailView/actions_menu.tpl' => '43988446570fc2820b7b0fb3da42e199',
   './themes/SuiteP/include/DetailView/footer.tpl' => '74cd1da7edd3386ee51db3e8ba8bb53b',
@@ -9208,4 +9208,4 @@ $md5_string = array (
   './themes/default/less/wells.less' => '07cc7d04d7f7f344742f23886cbe5683',
   './vCard.php' => '3f5273501c464563e5b1247be28b69de',
   './vcal_server.php' => 'ce4752597ba62a99f791c467339d2500',
-);
+);
\ No newline at end of file
diff --git a/include/InlineEditing/InlineEditing.php b/include/InlineEditing/InlineEditing.php
index 72fbc9aae34..398e5e1ea93 100755
--- a/include/InlineEditing/InlineEditing.php
+++ b/include/InlineEditing/InlineEditing.php
@@ -52,6 +52,11 @@ function getEditFieldHTML($module, $fieldname, $aow_field, $view = 'EditView', $
         return false;
     }
 
+    $vardef = $bean->getFieldDefinition($fieldname);
+
+    if (isTrue($vardef['sensitive'] ?? false) || isFalse($vardef['api-visible'] ?? true)){
+        return false;
+    }
     $value = getFieldValueFromModule($fieldname, $module, $id);
 
     // use the mod_strings for this module
@@ -126,7 +131,7 @@ function getEditFieldHTML($module, $fieldname, $aow_field, $view = 'EditView', $
     if (isset($vardef['name']) && ($vardef['name'] == 'date_modified')) {
         $vardef['name'] = 'aow_temp_date';
     }
-
+
     if (isset($vardef['help'])) {
         $vardef['help'] = htmlspecialchars($vardef['help'],ENT_QUOTES);
     }
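Review bot: The new guard in `getEditFieldHTML()` only stops the edit form from being rendered for a sensitive or non-API-visible field; the inline-edit save handler is not in this hunk, and unless it applies the same `sensitive`/`api-visible` test a client can still write such a field through inline editing even though it can no longer read it. The silent `return false;` is also inconsistent with the other hunks in this release, which log a security or fatal line before refusing, so a `LoggerManager::getLogger()->security('InlineEditing: refused sensitive field ' . $fieldname . ' on ' . $module);` before the return would make these attempts visible. If `getFieldDefinition()` returns `false` for an unknown field name, as the SugarBean method of that name does, `$vardef` is then `false` and the `??` lookups merely hide that, so an explicit `if ($vardef === false) { return false; }` would reject unknown fields up front. The function continues outside the hunk.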
diff --git a/include/MySugar/MySugar.php b/include/MySugar/MySugar.php
index 05584272711..733eba19257 100755
--- a/include/MySugar/MySugar.php
+++ b/include/MySugar/MySugar.php
@@ -95,6 +95,11 @@ public function addDashlet()
 
         $dashlets = $current_user->getPreference('dashlets', $this->type);
 
+        if (!empty($_POST['type_module']) && stripos($_POST['type_module'], 'phar://') !== false) {
+            LoggerManager::getLogger()->security('MySugar:addDashlet unsecure type_module received: ' . $_POST['type_module']);
+            throw new RuntimeException('Invalid type_module');
+        }
+
         $guid = create_guid();
         $options = array();
         if (isset($_POST['type'], $_POST['type_module']) && $_POST['type'] == 'web') {
diff --git a/include/utils.php b/include/utils.php
index 46c9709cee0..13c321e57a8 100755
--- a/include/utils.php
+++ b/include/utils.php
@@ -206,6 +206,9 @@ function make_sugar_config(&$sugar_config)
                 'php3',
                 'php4',
                 'php5',
+                'php6',
+                'php7',
+                'php8',
                 'pl',
                 'cgi',
                 'py',
@@ -468,6 +471,9 @@ function get_sugar_config_defaults(): array
             'php3',
             'php4',
             'php5',
+            'php6',
+            'php7',
+            'php8',
             'pl',
             'cgi',
             'py',
@@ -485,7 +491,8 @@ function get_sugar_config_defaults(): array
             'png',
             'jpg',
             'jpeg',
-            'svg'
+            'svg',
+            'bmp'
         ],
         'allowed_preview' => [
             'pdf',
@@ -1351,7 +1358,7 @@ function return_module_language($language, $module, $refresh = false)
     global $currentModule;
 
     // Jenny - Bug 8119: Need to check if $module is not empty
-    if (empty($module)) {
+    if (empty($module) || !isAllowedModuleName($module)) {
         $GLOBALS['log']->warn('Variable module is not in return_module_language, see more info: debug_backtrace()');
 
         return array();
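Review bot: The `addDashlet()` check is a denylist for one substring, `phar://`, while `type_module` remains a request-supplied string that the following lines use to build the dashlet's options; if, as the `$_POST['type'] == 'web'` branch suggests, it ends up naming a module directory, then `../`, other stream wrappers and NUL bytes pass this test untouched. This same release adds `isAllowedModuleName()` to `include/utils.php`, so an allowlist is available: `if (!empty($_POST['type_module']) && !isAllowedModuleName($_POST['type_module'])) {` rejects all of those at once and keeps the existing `phar://` case covered. How `type_module` is consumed is outside the hunk, so confirm that the allowlist matches the values legitimate dashlet types send before tightening it.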
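Review bot: The two extension-denylist hunks in `include/utils.php` add `php6`, `php7` and `php8`, but the context shown runs only from `php3` to `py`, so whether executable variants such as `phtml`, `phar`, `pht` and `phps` are present elsewhere in the list cannot be seen here; if they are not, they belong in the same block, since any of them may be handled by the PHP module depending on the web server configuration. A denylist of upload extensions is a secondary control in any case, and the server-side `.htaccess` rule that `install/install_utils.php` writes (garbled in this page) is the one that must actually refuse to execute anything under the upload directory. The `return_module_language()` hunk is a good change: `isAllowedModuleName()` now stops a caller-supplied module name from being used in the language-file path, although the warning it logs still says only that the module is "not in" the call, so a reader cannot tell rejection from absence; consider `'Invalid or empty module name in return_module_language: ' . $module`.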
@@ -6025,3 +6032,22 @@ function get_id_validation_pattern(): string {
 
     return $pattern;
 }
+
+/**
+ * Check if is string is an allowed module name
+ * @param string $value
+ * @return bool
+ */
+function isAllowedModuleName(string $value): bool {
+    if (empty($value)) {
+        return false;
+    }
+
+    $result = preg_match("/^[\w\-\_\.]+$/", $value);
+
+    if (!empty($result)) {
+        return true;
+    }
+
+    return false;
+}
diff --git a/install/install_utils.php b/install/install_utils.php
index ff930082dc5..bfdfd362abe 100755
--- a/install/install_utils.php
+++ b/install/install_utils.php
@@ -994,7 +994,7 @@ function handleHtaccess()
     $restrict_str .= <<id = 1;
diff --git a/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php b/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
index 1ab79698fbc..7252625cdf7 100644
--- a/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
+++ b/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
@@ -115,6 +115,13 @@ public function fromSugarBean($sugarBean, $source = ResourceEnum::DEFAULT_SOURCE
                 throw $exception;
             }
 
+            $isSensitive = isTrue($definition['sensitive'] ?? false);
+            $notApiVisible = isFalse($definition['api-visible'] ?? true);
+
+            if ($isSensitive || $notApiVisible){
+                continue;
+            }
+
             if ($definition['type'] === 'datetime' && isset($sugarBean->$fieldName)) {
                 // Convert to DB date
                 $datetime = $dateTimeConverter->fromUser($sugarBean->$fieldName);
diff --git a/modules/AOS_Products/AOS_Products.php b/modules/AOS_Products/AOS_Products.php
index 54e276ce135..07ee4080d03 100755
--- a/modules/AOS_Products/AOS_Products.php
+++ b/modules/AOS_Products/AOS_Products.php
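Review bot: The pattern in `isAllowedModuleName()` has two gaps for a function whose callers (e.g. `return_module_language()` in this release) use the result in a filesystem path. First, `$` without the `D` modifier matches before a trailing newline, so `"Accounts\n"` is accepted; second, the class `[\w\-\_\.]` admits a name made only of dots, so `.` and `..` pass and `modules/../` becomes constructible. Both are closed by `$result = preg_match('/^(?!\.+\z)[\w.-]+\z/', $value);`, which also drops the redundant `\-\_` escapes, and the trailing `if (!empty($result)) … return false;` can simply be `return $result === 1;`. The docblock should state the contract it is enforcing, e.g. `* Accept only a bare module directory name: letters, digits, underscore, dash and dot, no separators, not dots-only.`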
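Review bot: The `sensitive`/`api-visible` test added to `fromSugarBean()` is the third copy of the same two-line rule in this release (the others are in `AttributeObjectHelper::getAttributes()` and `include/InlineEditing/InlineEditing.php`), so a flag that is spelled or defaulted differently in one place will silently diverge from the rest. A single helper, e.g. `function isFieldApiVisible(array $definition): bool { return !isTrue($definition['sensitive'] ?? false) && !isFalse($definition['api-visible'] ?? true); }` in `include/utils.php`, would let all three sites call one line. This hunk only covers the bean-to-resource direction; whether the resource-to-bean path of this class also refuses writes to sensitive fields is not visible here. `fromSugarBean()` continues outside the hunk.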
@@ -64,6 +64,12 @@ public function save($check_notify = false)
 require_once('include/upload_file.php');
 $GLOBALS['log']->debug('UPLOADING PRODUCT IMAGE');
 
+ $imageFileName = $_FILES['uploadimage']['name'] ?? '';
+ if (!has_valid_image_extension('AOS_Products Uploaded image file: ' . $imageFileName , $imageFileName)) {
+ LoggerManager::getLogger()->fatal("AOS_Products save - Invalid image file ext : '$imageFileName'.");
+ throw new RuntimeException('Invalid request');
+ }
+
 if (!empty($_FILES['uploadimage']['tmp_name']) && verify_uploaded_image($_FILES['uploadimage']['tmp_name'])) {
 if ($_FILES['uploadimage']['size'] > $sugar_config['upload_maxsize']) {
 die($mod_strings['LBL_IMAGE_UPLOAD_FAIL'] . $sugar_config['upload_maxsize']);
diff --git a/modules/Administration/UpgradeWizard.php b/modules/Administration/UpgradeWizard.php
index 4229efb46ff..a6e138a0226 100755
--- a/modules/Administration/UpgradeWizard.php
+++ b/modules/Administration/UpgradeWizard.php
@@ -106,9 +106,15 @@ function unlinkTempFiles()
 $perform = true;
 $base_filename = urldecode($tempFile);
 } elseif (!empty($_REQUEST['load_module_from_dir'])) {
- $moduleDir = $_REQUEST['load_module_from_dir'];
- if (strpos($moduleDir, 'phar://') !== false) {
- die();
+ $moduleDir = $_REQUEST['load_module_from_dir'] ?? '';
+ if (stripos($moduleDir, 'phar://') !== false) {
+ LoggerManager::getLogger()->fatal("UpgradeWizard - invalid load_module_from_dir: " . $moduleDir);
+ throw new RuntimeException('Invalid request');
+ }
+
+ if (strtolower(pathinfo(urldecode($_REQUEST['upgrade_zip_escaped'] ?? ''), PATHINFO_EXTENSION)) !== 'zip'){
+ LoggerManager::getLogger()->fatal("UpgradeWizard - invalid upgrade_zip_escaped: " . $_REQUEST['upgrade_zip_escaped'] ?? '');
+ throw new RuntimeException("Invalid request");
 }
 //copy file to proper location then call performSetup
 copy($moduleDir . '/' . $_REQUEST['upgrade_zip_escaped'], "upload://" . $_REQUEST['upgrade_zip_escaped']);
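Review bot: The new extension check in AOS_Products::save runs unconditionally, ahead of the existing `!empty($_FILES['uploadimage']['tmp_name'])` guard, so a save with no image at all hands an empty file name to has_valid_image_extension; unless that helper accepts an empty name (not visible here), every product save without an upload will now throw 'Invalid request'. Moving the block inside the existing `if (!empty($_FILES['uploadimage']['tmp_name']) && ...)` branch, or guarding it with `if ($imageFileName !== '' && !has_valid_image_extension(...))`, confines the check to real uploads. Style: the call has a stray space before the comma in `$imageFileName , $imageFileName`. save() continues outside the hunk.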
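Review bot: On the second `fatal` line in the UpgradeWizard hunk the `?? ''` binds to the whole concatenated string, because `.` has higher precedence than `??`, so it never applies to the array read and an unset key still produces an undefined-index notice; the fallback needs its own parentheses, `"UpgradeWizard - invalid upgrade_zip_escaped: " . ($_REQUEST['upgrade_zip_escaped'] ?? '')`. The extension test also only establishes that the decoded name ends in `.zip`, and the raw value is then joined straight into `copy($moduleDir . '/' . $_REQUEST['upgrade_zip_escaped'], ...)`, so a value containing directory separators still passes; requiring `basename($name) === $name` (or rejecting `..` and `/`) before the copy would keep the source path inside `$moduleDir`, and `$moduleDir` itself is still only screened for `phar://`, not constrained to the expected upload location. The `?? ''` on `load_module_from_dir` is redundant inside an `!empty()` branch. The enclosing function starts outside the hunk.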
diff --git a/modules/Campaigns/WebToPersonCapture.php b/modules/Campaigns/WebToPersonCapture.php
index 2014ca2d179..e73e50a0616 100644
--- a/modules/Campaigns/WebToPersonCapture.php
+++ b/modules/Campaigns/WebToPersonCapture.php
@@ -54,6 +54,11 @@
 die('Not a valid module directory');
 }
 
+if (!isValidWebToPersonModule($moduleDir)) {
+ LoggerManager::getLogger()->fatal('Trying to run WepToPersonCapture for invalid module: ' . $moduleDir);
+ throw new RuntimeException('Not a valid module');
+}
+
 global $app_strings, $sugar_config, $timedate, $current_user;
 $mod_strings = return_module_language($sugar_config['default_language'], $moduleDir);
@@ -120,7 +125,7 @@
 //As form base items are not necessarily in place for the custom classes that extend Person, cannot use
 //the hendleSave method of the formbase
-
+
 $optInEmailFields = array();
 $optInPrefix = 'opt_in_';
@@ -209,8 +214,8 @@
 $sea->AddUpdateEmailAddress($person->email2, 0, 1);
 }
 }
-
-
+
+
 if (!empty($optInEmailFields)) {
 // Look for opted out
 $optedOut = array();
@@ -342,7 +347,7 @@
 $log = LoggerManager::getLogger();
 $log->error('Success but some error occurred: ' . implode(', ', $errors));
 }
-
+
 //If the custom module does not have a LBL_THANKS_FOR_SUBMITTING label, default to this general one
 echo $app_strings['LBL_THANKS_FOR_SUBMITTING'];
 }
diff --git a/modules/Campaigns/utils.php b/modules/Campaigns/utils.php
index ca66c5ebeb8..a2c7687fc04 100755
--- a/modules/Campaigns/utils.php
+++ b/modules/Campaigns/utils.php
@@ -54,7 +54,7 @@
 *name and list of all prospects associated with this campaign..
 *
 */
-function get_message_scope_dom($campaign_id, $campaign_name, $db=null, $mod_strings=array())
+function get_message_scope_dom($campaign_id, $campaign_name, $db = null, $mod_strings = array())
 {
 if (empty($db)) {
 $db = DBManagerFactory::getInstance();
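Review bot: The new `isValidWebToPersonModule($moduleDir)` guard is the right check for this entry point, but as written in the modules/Campaigns/utils.php hunk below it instantiates a bean for every entry in `$GLOBALS['moduleList']` on every call, and WebToPersonCapture is an unauthenticated form-capture URL, so that cost is paid on each anonymous submission; memoising the result in getValidWebToPersonModules (a `static $modules = null;` that is filled once per request and returned on later calls) keeps the guard cheap. The log message also misspells the script name — `'Trying to run WebToPersonCapture for invalid module: '`. The `die('Not a valid module directory')` check this follows begins outside the hunk.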
@@ -65,7 +65,7 @@ function get_message_scope_dom($campaign_id, $campaign_name, $db=null, $mod_stri
 }
 
 //find prospect list attached to this campaign..
- $query = "SELECT prospect_list_id, prospect_lists.name ";
+ $query = "SELECT prospect_list_id, prospect_lists.name ";
 $query .= "FROM prospect_list_campaigns ";
 $query .= "INNER join prospect_lists on prospect_lists.id = prospect_list_campaigns.prospect_list_id ";
 $query .= "WHERE prospect_lists.deleted = 0 ";
@@ -297,7 +297,7 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
 //values for return array..
 $return_array['target_id'] = $row['target_id'];
 $return_array['target_type'] = $row['target_type'];
-
+
 // quote variable first
 $dataArrayKeys = array_keys($data);
 $dataArrayKeysQuoted = array();
@@ -305,13 +305,13 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
 $dataArrayKeysQuoted[] = $db->quote($dataArrayKey);
 }
 $dataArrayKeysQuotedImplode = implode(', ', $dataArrayKeysQuoted);
-
+
 $insert_query = "INSERT into campaign_log (" . $dataArrayKeysQuotedImplode . ")";
-
+
 $dataArrayValuesQuotedImplode = implode(', ', array_values($data));
-
+
 $insert_query .= " VALUES (" . $dataArrayValuesQuotedImplode . ")";
-
+
 $db->query($insert_query);
 }
 } else {
@@ -331,7 +331,7 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
 $rowCampaignIdQuoted = $db->quote($row['campaign_id']);
 $query = "SELECT campaigns.* FROM campaigns WHERE campaigns.id = '" . $rowCampaignIdQuoted . "' ";
 $result = $db->query($query);
-
+
 if (!empty($result)) {
 $c_row = $db->fetchByAssoc($result);
@@ -1160,3 +1160,33 @@ function filterFieldsFromBeans($beans)
 }
 return $formattedBeans;
 }
+
+/**
+ * Get valid web to person modules
+ * @return array
+ */
+function getValidWebToPersonModules(): array
+{
+ $superclass = 'Person';
+ $modules = [];
+ foreach ($GLOBALS['moduleList'] as $mod) {
+ $item = BeanFactory::getBean($mod);
+ if ($item && is_subclass_of($item, $superclass)) {
+ $modules[] = $item->module_name;
+ }
+ }
+
+ return $modules;
+}
+
+/**
+ * Check if it is a valid WebToPerson module
+ * @param string $module
+ * @return bool
+ */
+function isValidWebToPersonModule(string $module): bool
+{
+ $validModules = getValidWebToPersonModules();
+
+ return in_array($module, $validModules, true);
+}
diff --git a/modules/Contacts/ContactFormBase.php b/modules/Contacts/ContactFormBase.php
index 11ecbe0d96a..b9dffc451bd 100755
--- a/modules/Contacts/ContactFormBase.php
+++ b/modules/Contacts/ContactFormBase.php
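Review bot: getValidWebToPersonModules iterates `$GLOBALS['moduleList']` by `$mod` but records `$item->module_name`, so the allow-list is made of bean-declared module names, while the caller in WebToPersonCapture.php validates `$moduleDir`, a value it then uses as a directory name; the check is only sound if every Person subclass reports a `module_name` equal to its directory, which is presumably the convention but deserves a one-line comment such as `// module_name is assumed to match the module directory name used by the caller`. The docblocks can also be more precise than the native types already say: `@return list<string>` on the first function, and a sentence on the second noting that the comparison is strict and case-sensitive. `$superclass` is a constant and could be inlined into the `is_subclass_of` call.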
@@ -73,15 +73,21 @@ public function getDuplicateQuery($focus, $prefix='')
 // Bug #46427 : Records from other Teams shown on Potential Duplicate Contacts screen during Lead Conversion
 // add team security
 
+ $dbManager = DBManagerFactory::getInstance();
+
 $query .= ' where contacts.deleted = 0 AND ';
 if (isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) {
- $query .= " contacts.first_name LIKE '". $_POST[$prefix.'first_name'] . "%' AND contacts.last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " contacts.first_name LIKE '". $firstName . "%' AND contacts.last_name = '". $lastName ."'";
 } else {
- $query .= " contacts.last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " contacts.last_name = '". $lastName ."'";
 }
 if (!empty($_POST[$prefix.'record'])) {
- $query .= " AND contacts.id != '". $_POST[$prefix.'record'] ."'";
+ $record = $dbManager->quote($_POST[$prefix.'record' ?? '']);
+ $query .= " AND contacts.id != '". $record ."'";
 }
 return $query;
 }
diff --git a/modules/EmailTemplates/AttachFiles.php b/modules/EmailTemplates/AttachFiles.php
index d725cee178c..fdd09762919 100755
--- a/modules/EmailTemplates/AttachFiles.php
+++ b/modules/EmailTemplates/AttachFiles.php
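Review bot: In every new `quote()` call the `?? ''` sits inside the array subscript — `$_POST[$prefix.'first_name' ?? '']` — where it applies to the concatenated key string, which is never null, so it does nothing; the intended fallback belongs outside the subscript, `$dbManager->quote($_POST[$prefix.'first_name'] ?? '')`. The same slip is repeated in every quoted read in the LeadFormBase and ProspectFormBase hunks below. Because the fallback is a no-op, the `else` branch still reads `$_POST[$prefix.'last_name']` without an isset and raises an undefined-index notice when only a first name is posted, as it did before. Note also that `quote()` escapes the string literal but not the `%`/`_` wildcards in the LIKE pattern, so the first-name match can still be widened by the caller; acceptable for a duplicate check, but worth a comment. getDuplicateQuery begins outside the hunk.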
@@ -61,6 +61,13 @@
 foreach ($_FILES as $k => $file) {
 if (in_array(strtolower($_FILES[$k]['type']), $imgType) && $_FILES[$k]['size'] > 0) {
+ $fileName = $_FILES[$k]['name'] ?? '';
+
+ if (!has_valid_image_extension('Attach Files Uploaded file: ' . $fileName , $fileName)) {
+ LoggerManager::getLogger()->fatal("EmailTemplates AttachFiles - Invalid file ext : '$fileName'.");
+ throw new RuntimeException('Invalid request');
+ }
+
 $upload_file = new UploadFile($k);
 // check the file
 if ($upload_file->confirm_upload()) {
diff --git a/modules/Emails/include/ComposeView/ComposeView.tpl b/modules/Emails/include/ComposeView/ComposeView.tpl
index d38319acfd9..87808e14a8d 100644
--- a/modules/Emails/include/ComposeView/ComposeView.tpl
+++ b/modules/Emails/include/ComposeView/ComposeView.tpl
@@ -256,8 +256,8 @@ $(document).ready(function() {ldelim}
 $('#ComposeView').EmailsComposeView({if $RETURN_MODULE != 'Emails' && $RETURN_ID}{ldelim}
 'attachment': {ldelim}
- 'module': '{$RETURN_MODULE}',
- 'id': '{$RETURN_ID}'
+ 'module': '{$RETURN_MODULE|escape:'javascript'}',
+ 'id': '{$RETURN_ID|escape:'javascript'}'
 {rdelim}
 {rdelim}{/if});
 {rdelim});
diff --git a/modules/Employees/Employee.php b/modules/Employees/Employee.php
index 214a12ba5b2..80bb010e040 100755
--- a/modules/Employees/Employee.php
+++ b/modules/Employees/Employee.php
@@ -318,6 +318,9 @@ public function save($check_notify = false)
 throw new RuntimeException('Not authorized');
 }
 
+ // If the current user is not an admin, reset the admin flag to the original value.
+ $this->setIsAdmin();
+
 return parent::save($check_notify);
 }
 
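Review bot: The extension check in AttachFiles is only reached for files whose `$_FILES[$k]['type']` is in `$imgType`, and that MIME string is supplied by the client, so whether the new guard runs at all depends on a value the uploader controls; a file declared with any other type takes whatever path follows this `if` outside the hunk, and unless that path applies an equivalent test the check does not cover every upload. Evaluating `has_valid_image_extension` before the MIME test (or inside UploadFile, where all uploads pass) makes the guard independent of what the browser claims. Style: the same stray space before the comma as in the AOS_Products hunk, `$fileName , $fileName`. The enclosing foreach starts and ends outside the hunk.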
@@ -341,4 +344,36 @@ protected function hasSaveAccess(): bool
 return $sameUser || is_admin($current_user);
 }
+
+ /**
+ * Reset is_admin if current user is not an admin user
+ * @return void
+ */
+ protected function setIsAdmin(): void
+ {
+ global $current_user;
+
+ if (!isset($this->is_admin)) {
+ return;
+ }
+
+ $originalIsAdminValue = $this->is_admin ?? false;
+ if ($this->isUpdate() && isset($this->fetched_row['is_admin'])) {
+ $originalIsAdminValue = isTrue($this->fetched_row['is_admin'] ?? false);
+ }
+
+ $currentUserReloaded = BeanFactory::getReloadedBean('Users', $current_user->id);
+ if (!is_admin($currentUserReloaded)) {
+ $this->is_admin = $originalIsAdminValue;
+ }
+
+ }
+
+ /**
+ * @return bool
+ */
+ protected function isUpdate(): bool
+ {
+ return !empty($this->id) && !$this->new_with_id;
+ }
 }
diff --git a/modules/Leads/LeadFormBase.php b/modules/Leads/LeadFormBase.php
index 52c96ba7bd2..dffdb2c9799 100755
--- a/modules/Leads/LeadFormBase.php
+++ b/modules/Leads/LeadFormBase.php
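Review bot: When the record is not an update (or `fetched_row['is_admin']` is absent), `$originalIsAdminValue` is initialised from `$this->is_admin` itself, so the non-admin branch assigns the submitted value straight back and the reset is a no-op on creates; the code this replaces in User.php forced the flag to `0` in that case. hasSaveAccess() already stops a non-admin saving anyone but themselves, so this is defence in depth rather than an open door, but the fallback should still be the safe value: `$originalIsAdminValue = false;` and only take the stored value from `fetched_row` when `isUpdate()` holds. The method is duplicated verbatim in the User.php hunk below; if Employee extends User the override can simply be dropped, otherwise a shared trait would keep the two from drifting. `isTrue()` also yields a bool where the rest of the code treats `is_admin` as 0/1 (`$this->is_admin = 0` in the removed lines), so casting with `(int)` keeps the stored type consistent.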
@@ -67,11 +67,15 @@ public function getDuplicateQuery($focus, $prefix='')
 $query .= " WHERE deleted != 1 AND (status <> 'Converted' OR status IS NULL) AND ";
 
+ $dbManager = DBManagerFactory::getInstance();
 //Use the first and last name from the $_POST to filter. If only last name supplied use that
 if (isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) {
- $query .= " (first_name='". $_POST[$prefix.'first_name'] . "' AND last_name = '". $_POST[$prefix.'last_name'] ."')";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " (first_name='". $firstName . "' AND last_name = '". $lastName ."')";
 } else {
- $query .= " last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " last_name = '". $lastName ."'";
 }
 return $query;
 }
diff --git a/modules/Prospects/ProspectFormBase.php b/modules/Prospects/ProspectFormBase.php
index bc0529e0263..204b56549e7 100755
--- a/modules/Prospects/ProspectFormBase.php
+++ b/modules/Prospects/ProspectFormBase.php
@@ -55,36 +55,44 @@ public function checkForDuplicates($prefix)
 {
 global $local_log;
 require_once('include/formbase.php');
-
+
 $focus = BeanFactory::newBean('Prospects');
 if (!checkRequired($prefix, array_keys($focus->required_fields))) {
 return null;
 }
+
+ $dbManager = DBManagerFactory::getInstance();
+
 $query = '';
 $baseQuery = 'select id,first_name, last_name, title, email1, email2 from prospects where deleted!=1 and (';
 if (!empty($_POST[$prefix.'first_name']) && !empty($_POST[$prefix.'last_name'])) {
- $query = $baseQuery ." (first_name like '". $_POST[$prefix.'first_name'] . "%' and last_name = '". $_POST[$prefix.'last_name'] ."')";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query = $baseQuery ." (first_name like '". $firstName . "%' and last_name = '". $lastName ."')";
 } else {
- $query = $baseQuery ." last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query = $baseQuery ." last_name = '". $lastName ."'";
 }
 if (!empty($_POST[$prefix.'email1'])) {
+ $email1 = $dbManager->quote($_POST[$prefix.'email1' ?? '']);
 if (empty($query)) {
- $query = $baseQuery. " email1='". $_POST[$prefix.'email1'] . "' or email2 = '". $_POST[$prefix.'email1'] ."'";
+ $query = $baseQuery. " email1='". $email1 . "' or email2 = '". $email1 ."'";
 } else {
- $query .= "or email1='". $_POST[$prefix.'email1'] . "' or email2 = '". $_POST[$prefix.'email1'] ."'";
+ $query .= "or email1='". $email1 . "' or email2 = '". $email1 ."'";
 }
 }
 if (!empty($_POST[$prefix.'email2'])) {
+ $email2 = $dbManager->quote($_POST[$prefix.'email2' ?? '']);
 if (empty($query)) {
- $query = $baseQuery. " email1='". $_POST[$prefix.'email2'] . "' or email2 = '". $_POST[$prefix.'email2'] ."'";
+ $query = $baseQuery. " email1='". $email2 . "' or email2 = '". $email2 ."'";
 } else {
- $query .= "or email1='". $_POST[$prefix.'email2'] . "' or email2 = '". 
$_POST[$prefix.'email2'] ."'";
+ $query .= "or email1='". $email2 . "' or email2 = '". $email2 ."'";
 }
 }
 if (!empty($query)) {
 $rows = array();
-
+
 $db = DBManagerFactory::getInstance();
 $result = $db->query($query.');');
 while ($row = $db->fetchByAssoc($result)) {
@@ -138,7 +146,7 @@ public function buildTableForm($rows, $mod='')
 if ($action != 'ShowDuplicates') {
 $form .= "[${app_strings['LBL_SELECT_BUTTON_LABEL']}]  \n";
 }
-
+
 $wasSet = false;
 foreach ($row as $key=>$value) {
@@ -172,7 +180,7 @@ public function getWideFormBody($prefix, $mod='', $formname='', $prospect = '')
 if (!ACLController::checkAccess('Prospects', 'edit', true)) {
 return '';
 }
-
+
 if (empty($prospect)) {
 $prospect = BeanFactory::newBean('Prospects');
 }
@@ -401,15 +409,15 @@ public function getForm($prefix, $mod='')
 public function handleSave($prefix, $redirect=true, $useRequired=false)
 {
 global $theme;
-
-
-
-
+
+
+
+
 require_once('include/formbase.php');
-
+
 global $timedate;
-
-
+
+
 $focus = BeanFactory::newBean('Prospects');
 if ($useRequired && !checkRequired($prefix, array_keys($focus->required_fields))) {
 return null;
@@ -421,14 +429,14 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)
 if (!isset($GLOBALS['check_notify'])) {
 $GLOBALS['check_notify']=false;
 }
-
+
 if (!isset($_POST[$prefix.'email_opt_out'])) {
 $focus->email_opt_out = 0;
 }
 if (!isset($_POST[$prefix.'do_not_call'])) {
 $focus->do_not_call = 0;
 }
-
+
 if (empty($_POST['record']) && empty($_POST['dup_checked'])) {
 /*
 // we don't check dupes on Prospects - this is the dirtiest data in the system
@@ -479,7 +487,7 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)
 $focus->save($GLOBALS['check_notify']);
 $return_id = $focus->id;
-
+
 $GLOBALS['log']->debug("Saved record with id of ".$return_id);
 if (isset($_POST['popup']) && $_POST['popup'] == 'true') {
 $get = '&module=';
diff --git a/modules/Users/User.php b/modules/Users/User.php
index 6686cd90dde..085d7241551 100755
--- a/modules/Users/User.php
+++ b/modules/Users/User.php
@@ -612,7 +612,7 @@ public function save($check_notify = false)
 $msg = '';
- $isUpdate = !empty($this->id) && !$this->new_with_id;
+ $isUpdate = $this->isUpdate();
 //No SMTP server is set up Error.
 $admin = BeanFactory::newBean('Administration');
@@ -664,17 +664,16 @@ public function save($check_notify = false)
 // wp: do not save user_preferences in this table, see user_preferences module
 $this->user_preferences = '';
+
+ // If the current user is not an admin, reset the admin flag to the original value.
+ $this->setIsAdmin();
+
 // if this is an admin user, do not allow is_group or portal_only flag to be set.
 if ($this->is_admin) {
 $this->is_group = 0;
 $this->portal_only = 0;
 }
 
- // If the current user is not an admin, do not allow them to set the admin flag to true.
- if (!is_admin($current_user)) {
- $this->is_admin = 0;
- }
-
 // set some default preferences when creating a new user
 $setNewUserPreferences = empty($this->id) || !empty($this->new_with_id);
@@ -2467,4 +2466,36 @@ protected function hasSaveAccess(): bool
 return $sameUser || is_admin($current_user);
 }
+
+ /**
+ * Reset is_admin if current user is not an admin user
+ * @return void
+ */
+ protected function setIsAdmin(): void
+ {
+ global $current_user;
+ if (!isset($this->is_admin)) {
+ return;
+ }
+
+
+ $originalIsAdminValue = $this->is_admin ?? false;
+ if ($this->isUpdate() && isset($this->fetched_row['is_admin'])) {
+ $originalIsAdminValue = isTrue($this->fetched_row['is_admin'] ?? false);
+ }
+
+ $currentUserReloaded = BeanFactory::getReloadedBean('Users', $current_user->id);
+ if (!is_admin($currentUserReloaded)) {
+ $this->is_admin = $originalIsAdminValue;
+ }
+
+ }
+
+ /**
+ * @return bool
+ */
+ protected function isUpdate(): bool
+ {
+ return !empty($this->id) && !$this->new_with_id;
+ }
 }
diff --git a/suitecrm_version.php b/suitecrm_version.php
index bcb93259c2f..0c1ebd04c3a 100755
--- a/suitecrm_version.php
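Review bot: User::setIsAdmin dereferences `$current_user->id` with no guard, whereas the block it replaces at @@ -664 passed `$current_user` straight to `is_admin()`; if User::save can run without an authenticated actor (installer, scheduler, CLI scripts — not visible here), the reload will now fail on a null property access instead of simply treating the actor as non-admin. A guard that keeps the safe outcome, `if (empty($current_user->id)) { $this->is_admin = $originalIsAdminValue; return; }`, makes an absent actor behave like a non-admin rather than skipping or crashing the reset. The early `return` when `is_admin` is unset also means no reset happens for beans where the flag was never populated — presumably fine because the column then keeps its stored value, but a comment saying so would help. Style: there are two consecutive blank lines after the early return, and the `isUpdate()` docblock could state what "update" means here (an existing id that was not assigned via `new_with_id`).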
+++ b/suitecrm_version.php
@@ -3,5 +3,5 @@
 die('Not A Valid Entry Point');
 }
-$suitecrm_version = '7.12.8';
-$suitecrm_timestamp = '2022-11-17 12:00:00';
+$suitecrm_version = '7.12.9';
+$suitecrm_timestamp = '2023-01-25 12:00:00';